My team and I encountered a bug.
Suppose I'm a list user (I can use a PowerApps application that is connected to the list), and I know the list's exact URL.
I can't access the list directly, only interact with it via PowerApps.
But if I create a new PowerApps application, choose the SharePoint connector, and paste in the link, I can connect my app to the list and can freely access the data like an owner.
We tried to restrict 'Create PowerApps application' but it's impossible.
My company uses SharePoint lists to store a lot of important data, so this is very important.
Power Apps will always respect SharePoint permissions and when connecting to SharePoint it will always do so under the context of the user who is using the App.
So if your users are having full access on the SharePoint list data from Power Apps, that also means they have full access on the SharePoint list.
Reza Dorrani, MVP
Users in my company don't have full access to the SharePoint list; they are denied from viewing it directly on SharePoint. They can only interact with it via PowerApps (they can only use some rows; other rows belong to other users).
But now, they can create a new PowerApps application of their own and connect to the list by pasting in the exact URL. They can view anything inside the list (by attaching it to a Gallery or so).
Sorry, not sure I follow 100%.
The SharePoint connector runs under the context of the logged in user for PowerApps. This is often a problem because we would like to enforce the behaviour in point 1 - i.e. restrict users to only accessing the list via the Power App because the Power App applies some business logic that we don't want users bypassing by opening lists directly in SharePoint.
If you cannot see your teamsite how do you create your lists?
Users do not need full access to SP. They need at least Contribute permissions to write and read. Contribute would be sufficient for a user to build an app over the top. If you want to restrict to specific users of a list, then you need to change the permissions to that list by removing the Hierarchy and then Grant Permissions to those users.
PowerApps assumes your ability to build apps over data sources based on the permission of the data source. You then can restrict those users in your shares of the apps.
Here is one for you to try. If you have Teams, create a new team. Every team by default creates a Teams site in SP. If you created the team, you are then the owner of the SP Team site as well. You can go to this team site by selecting your team, then one of the channels, then the three dots menu. This will have a choice to open in SharePoint. Would be interested if you can see that as well.
Sorry I don't really understand what you said.
Users in my company are only allowed to interact with the SharePoint list via PowerApps that are created by us (the dev team) (they cannot see it at all directly on the SharePoint website).
But if they use the trick, they can see and manipulate the list freely.
The trick here is to create a new app and connect to SharePoint (they can't find the list, but they can paste in the link of the list and connect).
In their new app they can do anything with the list.
I'm afraid I think the trick is in the way that you are hiding the SP Lists from the users.
You are using a hack to try to get the behaviour that you want/need, but it is not 100% effective as SharePoint is not supposed to work that way.
If your data is important and you need proper control over it, it should be in a real database. Of course that also means moving to premium licensing (as database connectors are no longer included in the standard license) or moving to a different development tool.
Governance/Admin is not my strong suit, so hopefully someone will correct me if I am wrong, but I don't think you can. All users with a Power Apps 'license' applied (including the 'seeded' license required to run Power Apps) in O365 Admin centre can create Apps in the Default environment (you can lock them out of other environments, but not Default).
As far as I know, you cannot make a SharePoint list environment specific.
So you cannot prevent a user from getting to a SharePoint list where they have permissions and you cannot prevent a user with access to run Power Apps from also creating Power Apps and connecting them to SharePoint lists and editing any records to which they have permissions.
Sorry, but IMO SharePoint is completely unsuited to serious data requirements and you will just create a lot of work for yourself by trying to get it to work the way you want/need.
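The point the replies converge on, that the connector acts with the signed-in user's own SharePoint permissions, can be checked on the list itself. The script below is an added example and is not part of any post in this thread; it uses the PnP.PowerShell module, `$SiteUrl` and `$ListTitle` are placeholders, and interactive sign-in may need an app registration in your tenant.

```powershell
# Added example: report who holds which permission level on a SharePoint list.
# $SiteUrl and $ListTitle are placeholders (assumptions), not values from the thread.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [Parameter(Mandatory)] [string] $ListTitle
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# Load the list with the security-related properties that are not fetched by default.
$list = Get-PnPList -Identity $ListTitle `
    -Includes HasUniqueRoleAssignments, RoleAssignments, ReadSecurity, WriteSecurity

# A list without unique role assignments inherits every grant made on the site.
"Inherits site permissions : {0}" -f (-not $list.HasUniqueRoleAssignments)
# Item-level settings: ReadSecurity 1 = all items, 2 = only the user's own items.
"ReadSecurity              : {0}" -f $list.ReadSecurity
# WriteSecurity 1 = all items, 2 = only the user's own items, 4 = none.
"WriteSecurity             : {0}" -f $list.WriteSecurity

# Resolve each role assignment to a principal and its permission levels.
$report = foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $ra.Member.Title
        Type      = $ra.Member.PrincipalType
        Roles     = ($ra.RoleDefinitionBindings.Name -join ', ')
    }
}
$report | Sort-Object Principal | Format-Table -AutoSize

# Principals listed here can read and write the list from any app they build,
# regardless of whether the list is hidden from navigation.
$report |
    Where-Object { $_.Roles -match 'Contribute|Edit|Full Control' } |
    Select-Object Principal, Roles
```

If the last query returns the ordinary app users, the behaviour described in the thread is expected: their access comes from the list permissions, not from the app that was shared with them.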